Tuesday, December 20, 2005

Gone Phishing

It’s a damn good job that many people are stupid. Especially the criminals.

First of all, let me explain what ‘phishing’ is.

Phishing, in a nutshell, is when somebody sends out a few million fraudulent emails, claiming to be from a genuine company. They then feed you a story about a server crash, or that someone has broken into your account, and that you need to go to their site to verify your information.

Of course, the site is a fake, and you enter your username and password, which they then save to rob you blind.

For example, today I received not one, but two emails claiming to be from paypal, both of them exactly the same. Here they are in their entirety:

Dear PayPal,

We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address.

If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you. However, if you did not initiate the log ins, please visit PayPal as soon as possible to verify your identity:

https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run

Verify your identity is a security measure that will ensure that you are the only person with access to the account.

Thanks for your patience as we work together to protect your account.

Sincerely,
PayPal

PROTECT YOUR PASSWORD

NEVER give your password to anyone and ONLY log in at https://www.paypal.com/. Protect yourself against fraudulent websites by opening a new web browser (e.g. Internet Explorer or Netscape) and typing in the PayPal URL every time you log in to your account.

----------------------------------------------------------------

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the header of any page.

Sincerely, Richard PayPal Community Support PayPal, an eBay Company

I knew instantly that this was a fake… basically, I don’t have a paypal account.

However, there are many people out there who do have paypal accounts, and for the non-computer savvy, they may be convinced by it.

One of the most annoying things about phishing is that it’s done on such a bulk scale. If you send out a million emails, and it only fools half a percent of the people it was sent to, that’s still 5000 people.

If I did have a paypal account, and did click that link, I’d be handing my login to a stranger, who would then go ahead and empty my account.

As annoying or as frightening as this is, these emails can be pretty easy to spot. The truth, though, is that you don’t actually need to spot them, for one simple reason:


Basically, if you get an email from your bank, paypal or any other website asking for your information, it’s a scam: delete, ignore or report it.

However, just for fun, let’s look over this email and point out the flaws:

  1. The first is obvious. Look how they ‘greet’ me. ‘Dear Paypal’.

If this was a genuine letter, they would greet me by the name I’d obviously have provided them with. At the very least, they’d greet me with ‘Dear Paypal Customer’. Obviously, the originator of this email doesn’t speak very good English, or they would have spotted it easily.

  2. ‘Foreign IP address’.

This would not be a form email. The scammer has said a ‘foreign’ IP address because they probably have no clue what country I’m actually in. Chances are a genuine email would have told me the actual country the transaction was made in. This isn’t a hard and fast rule, but it’s a red flag.

  3. The request makes no sense.

Think about it. If this was genuine, why would they need me to give them my login information? If your bank calls you to query an unusual withdrawal, do they ask for your credit card PIN number? If I did have a paypal account, and it had been used in a foreign country they’d just check if I made the transaction myself, and tell me to inform them if the transaction was fraudulent.

  4. ‘Verify your identity is a security measure that will ensure that you are the only person with access to the account.’

First of all, spot the grammatical error. ‘Verify’ instead of ‘verifying’. This also makes no sense. The alleged fraudster already has my login information, so why would me giving them my login info help anything? If this was real, they’d ask me to verify that the transaction was fraudulent, and then ask me to change my login information. Not verify it. Why didn’t the fraudster do this? Because changing my login on the official paypal site wouldn’t help them one bit.

  5. Double sign off.

Notice how they end the email twice? One is ‘sincerely, paypal’, and the other is cut and pasted, with no punctuation: “Sincerely, Richard PayPal Community Support PayPal, an eBay Company”

  6. The false security announcement.

This is meant to put our minds at rest. Obviously, if this was fraudulent, they wouldn’t be reminding us to protect our password!


The advice would be good, if it wasn’t for one thing. You see, typing the URL into a fresh browser window stops you from clicking a link to a fraudulent website. However, there are two things wrong with this. They tell you to type in the URL manually, but there’s a link that they want you to click in the same email!

  7. Look closely at the paypal address.

See anything wrong with it? Look nice and close.

Since when did a standard URL begin with ‘HTTPS’ instead of ‘HTTP’? The address isn’t genuine. This is another common thing in phishing: ask the potential mark to come to the ‘official’ site, but change the address slightly, so it looks genuine but actually sends you to an alternate, fraudulent site. For example, www becomes www2. HTTP becomes HTTPS. .com becomes .co.uk.

Well, you get the idea.

You see, computer crime is an incredibly clever business. Well, successful computer crime is.

Luckily for us, phishing has become a major industry for anyone who wants to make a fast, illegal buck. Why is this lucky? Because these people think it’s easy. The vast majority of phishers are people who have very rudimentary computer knowledge. They assume that the people they’re scamming are as dumb as they are… meaning that these things are incredibly easy to spot.

Someone gets on the internet, sets up an email address, and bulk emails a few million people, asking for their login information to banks, online stores, anything.

Believe it or not, the above email is one of the more ‘sophisticated’ scams. A lot of people simply send an email that says:

“Dear Customer,

This is an automated email from (Random Bank). Due to a server crash, we have lost a large percentage of our online customers’ information. Please email your username and password to:


Yours Sincerely

Some Asshole”

Yup, I’ve actually received an email like that, supposedly from Lloyds bank, which actually used a hotmail address.

Anyway, today’s story has a happy ending. This phisher thought that changing the return address to ‘admin@paypal.com’ was enough to fool me.

Luckily, I know what an email header is, and therefore know his real email address and his Internet Service Provider.
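The two checks this post relies on, reading the host in the link rather than its displayed text (the www2 and .co.uk variants described under point 7) and reading the Received: headers rather than the forged From: address (the point made just above), can be automated. The following Python script is an added example written for this page, not code from the post's author. The message it parses is constructed for illustration (RFC 5737 documentation addresses, example.org and example.net hosts, a made-up "ExampleBank" brand), and EXPECTED_HOSTS and TRUSTED_MAIL_HOSTS are assumptions a reader would replace with their own values. It keys on the host name rather than the scheme, since HTTP versus HTTPS says nothing about who operates a site, and it trusts only the Received: line written by the recipient's own mail server, because a sender controls every header line below that one.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the hosts the reader actually logs in at. Anything else in a
# "log in here" link is treated as a lookalike (www2..., .co.uk, and so on).
EXPECTED_HOSTS = {"www.examplebank.com", "examplebank.com"}

# Assumption: mail servers the recipient operates. Only the Received: line
# written by one of these can be trusted; the sender controls everything below it.
TRUSTED_MAIL_HOSTS = {"mx.example.org", "inbox.example.org"}

# Constructed sample (not a real capture). Header layout mirrors the post:
# a From: forged to look like the bank, a Return-Path at the sender's ISP,
# and a Received: chain that records the submitting host's real address.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [203.0.113.5])
 by inbox.example.org with ESMTP; Tue, 20 Dec 2005 10:02:11 +0000
Received: from dsl-pool-7.isp.example.net (dsl-pool-7.isp.example.net [198.51.100.77])
 by mx.example.org with SMTP; Tue, 20 Dec 2005 10:02:09 +0000
From: ExampleBank <security@examplebank.com>
Return-Path: <bounce@isp.example.net>
Subject: Unusual log in attempts
Content-Type: text/plain; charset=utf-8

Dear ExampleBank,
We recently noticed one or more attempts to log in to your account from a
foreign IP address. Please visit ExampleBank to verify your identity:
https://www2.examplebank.co.uk/cgi-bin/webscr?cmd=_login-run
NEVER give your password to anyone and ONLY log in at
https://www.examplebank.com/.
"""

# "from <host> (<rdns> [<ip>]) by <host>": the shape most mail servers write.
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)", re.S
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_domains(msg):
    """Return (From: domain, Return-Path domain). A mismatch means the
    visible sender and the bounce address are not the same party."""
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return from_dom, rp_dom


def originating_ip(msg):
    """Walk Received: headers newest-first and return (host, ip) from the
    first trusted server's line that names an untrusted handoff; that is
    the external hop our own infrastructure observed."""
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if not m:
            continue
        from_host, ip, by_host = m.group(1).lower(), m.group(2), m.group(3).lower()
        if by_host in TRUSTED_MAIL_HOSTS and from_host not in TRUSTED_MAIL_HOSTS:
            return from_host, ip
    return None


def suspicious_urls(msg):
    """Every URL in the body whose host is not one we expect, as (url, host)."""
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    flagged = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop trailing sentence punctuation
        host = (urlparse(url).hostname or "").lower()
        if host not in EXPECTED_HOSTS:
            flagged.append((url, host))
    return flagged


def triage(raw_message):
    """Summarise the three checks for one raw message string."""
    msg = message_from_string(raw_message)
    from_dom, rp_dom = sender_domains(msg)
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "envelope_mismatch": from_dom != rp_dom,
        "origin": originating_ip(msg),
        "suspicious_urls": suspicious_urls(msg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Run as a script it prints the three findings for the constructed message: the From: and Return-Path domains disagree, the external handoff came from 198.51.100.77 at isp.example.net, and the "verify your identity" link points at www2.examplebank.co.uk rather than the expected host. The host and address recorded by your own server are what an ISP abuse desk or fraud reporting address can act on; the From: line is not, for exactly the reason the post gives.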

I emailed him with a ‘nice try’ message, and also emailed his Internet Service provider informing them that one of their users is a criminal, and also sent a copy of the email to the FBI fraud department.

I know the FBI probably won’t do anything, and at best, his ISP will simply deny him service, but at the very least it’ll make the guy shit his pants, and think twice before doing this again.

Anyway, in closing, just remember Rule One. Paypal, your bank or any other legitimate company will NEVER ask for your login information. They have backups for that.



MC Etcher said...

Good advice!

MC Etcher said...

Have you seen this